On Sat, 18 Jun 2011 00:31:42 +0200, Ian Hickson <i...@hixie.ch> wrote:
> The reason we _didn't_ send credentials by default for <img> was that
> most cross-origin images are going to be static, and it would be a huge
> pain for the server to have to do per-connection work to determine the
> HTTP headers each time. With EventSource, that's a non-issue, since the
> server is going to have to do lots of much heavier per-connection work
> anyway.

I think we should change CORS to allow * for credentialed requests. People
have already asked for that. That would also allow dropping the
crossorigin="" attribute which complicates the request model for the
elements it is applicable to a lot. (Too much, in my opinion.)
(I designed CORS in such a way it could be used for <img> and such without
the need to introduce new syntax.)
--
Anne van Kesteren
http://annevankesteren.nl/
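
The rule under discussion in this message, as an added example that is not part of the original mail: under CORS a credentialed request does not accept `Access-Control-Allow-Origin: *`, so a server that wants cookies sent has to compute the header per request, while a static resource can send one constant header. The function names, origins and allow-list are hypothetical, and header lookup is simplified to exact-case keys.

```javascript
// Added illustration; names and sample origins are constructed.

// Server side, anonymous resource (e.g. a static image): one constant
// header, no per-request work.
function anonymousCorsHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Server side, credentialed resource: the header value depends on the
// request's Origin, so it is computed per request, and caches are told
// that the response varies by Origin.
function credentialedCorsHeaders(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.has(requestOrigin)) return {}; // no CORS grant
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Client side: the check a browser applies before exposing a
// cross-origin response to the requesting page.
function corsCheckPasses(requestOrigin, withCredentials, headers) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false;
  if (!withCredentials) {
    return allowOrigin === "*" || allowOrigin === requestOrigin;
  }
  // Credentialed: "*" is rejected, the origin must match exactly, and
  // Access-Control-Allow-Credentials must be the literal string "true".
  return (
    allowOrigin === requestOrigin &&
    headers["Access-Control-Allow-Credentials"] === "true"
  );
}
```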